Navia Benefit Solutions
2.7 million people trusted their employer's benefits platform with their most sensitive data.
What happened?
On March 19, 2026, Navia Benefit Solutions disclosed a data breach affecting 2.7 million individuals. Navia administers flexible spending accounts (FSAs), health savings accounts (HSAs), and other employee benefits programs for companies across the United States. Attackers accessed systems containing Social Security numbers and benefits account data.
What data was actually inside?
Social Security numbers and benefits account data. Benefits platforms are uniquely sensitive because they aggregate identity information with financial data—account numbers, contribution amounts, claims history, and employer associations.
Unlike a typical HR breach, benefits data can reveal health conditions through FSA claims, family structure through dependent information, and financial situations through contribution levels.
Who gets hurt and how?
2.7 million employees who enrolled in benefits through their employers. They signed up for FSAs and HSAs to save money on healthcare—not to have their Social Security numbers stolen. The breach creates risk of identity theft, tax fraud, and account takeover.
Benefits data can also be used for targeted phishing. Attackers know where people work, what benefits they have, and can craft convincing messages using that context.
What did they think they were doing right?
Navia is a third-party benefits administrator. Companies outsource this function specifically because benefits administration requires handling sensitive data securely. Navia had security controls, compliance certifications, and enterprise clients who trusted them with employee data.
Employers chose Navia because managing benefits in-house was considered riskier. That assumption didn't hold.
What did they not know about their own data?
Navia either didn't know that 2.7 million Social Security numbers were accessible through their systems, or didn't adequately protect them. Benefits platforms aggregate data from hundreds of employers, creating concentrated risk. Each employer sends employee rosters, SSNs, and contribution data. That aggregation is the product, and the liability.
They likely knew they had SSNs. They didn't know how exposed those SSNs were until attackers demonstrated it.
What does attribution look like the morning after?
Navia had to notify 2.7 million individuals across an unknown number of employers. Each employer's HR team is now fielding questions. Employees are checking their credit reports, freezing accounts, and watching for fraudulent tax filings.
For Navia, the business impact is severe. When your entire value proposition is handling sensitive data securely, a breach is existential.
What would have changed the outcome?
Knowing exactly where SSNs live and how they're protected.
If Navia had mapped every system containing Social Security numbers, they could have prioritized protection, detected unusual access patterns, and limited the blast radius. 2.7 million SSNs in one place should trigger heightened monitoring. Instead, they learned what was there when attackers took it.
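A minimal sketch of the mapping step described above, as an added example that is not code from Navia or from this page: it scans text exports for structurally plausible SSNs and ranks sources by concentration. The source names and sample records are constructed for illustration.

```python
import re

# Candidate: AAA-GG-SSSS, AAA GG SSSS, or nine bare digits, with a consistent
# separator, and not embedded in a longer run of digits (phone or account numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues: area 000, 666, 9xx; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return masked hits (last four digits only) so the inventory holds no full SSNs."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append("***-**-" + serial)
    return hits

def build_inventory(sources):
    """Map each data source name to the number of plausible SSNs found in it."""
    return {name: len(find_ssns(text)) for name, text in sources.items()}

def rank_by_exposure(inventory):
    """Sources that hold SSNs, largest concentration first."""
    holders = [name for name, count in inventory.items() if count > 0]
    return sorted(holders, key=lambda name: -inventory[name])

# Constructed sample data: hypothetical exports, not real records.
SAMPLE_SOURCES = {
    "employer_roster_export.csv": (
        "name,ssn,election\nA. Doe,123-45-6789,2500\n"
        "B. Roe,234 56 7890,1200\nC. Poe,345678901,3000\n"
    ),
    "claims_notes.txt": (
        "Member 456-78-9012 called about FSA claim; "
        "ref 900-12-3456; phone 5551234567\n"
    ),
    "marketing_site.html": "<p>Call 800-555-0100 or order 000-12-3456</p>",
}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SOURCES)
    for name in rank_by_exposure(inventory):
        print(f"{name}: {inventory[name]} plausible SSNs")
```

Bare nine-digit matches are the main source of false positives, so a hit count is a prompt to inspect the source, not proof that it stores SSNs.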
Don't Learn What You Have From an Attacker
Navia didn't know how exposed 2.7 million SSNs were until attackers showed them. Risk Finder shows you first.